US20140280969A1 - Load Balancer and Related Techniques - Google Patents

Load Balancer and Related Techniques Download PDF

Info

Publication number
US20140280969A1
US20140280969A1 US14/200,935 US201414200935A US2014280969A1 US 20140280969 A1 US20140280969 A1 US 20140280969A1 US 201414200935 A US201414200935 A US 201414200935A US 2014280969 A1 US2014280969 A1 US 2014280969A1
Authority
US
United States
Prior art keywords
load
virtual machine
network
physical
network traffic
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
US14/200,935
Other versions
US9253245B2 (en
Inventor
Conrad N. Wood
Achim Weiss
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Profitbricks GmbH
Original Assignee
Profitbricks GmbH
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Profitbricks GmbH filed Critical Profitbricks GmbH
Priority to US14/200,935 priority Critical patent/US9253245B2/en
Priority to PCT/US2014/027112 priority patent/WO2014152242A1/en
Assigned to PROFITBRICKS GMBH reassignment PROFITBRICKS GMBH ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: WEISS, ACHIM, WOOD, CONRAD N.
Publication of US20140280969A1 publication Critical patent/US20140280969A1/en
Application granted granted Critical
Publication of US9253245B2 publication Critical patent/US9253245B2/en
Expired - Fee Related legal-status Critical Current
Adjusted expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/02Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00Traffic control in data switching networks
    • H04L47/10Flow control; Congestion control
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00Traffic control in data switching networks
    • H04L47/10Flow control; Congestion control
    • H04L47/12Avoiding congestion; Recovering from congestion
    • H04L47/125Avoiding congestion; Recovering from congestion by balancing the load, e.g. traffic engineering
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L49/00Packet switching elements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1001Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • H04L67/1004Server selection for load balancing
    • H04L67/1008Server selection for load balancing based on parameters of servers, e.g. available memory or workload

Definitions

  • the concepts described herein relate generally to data centers and more particularly to virtual data centers.
  • a data center is a facility used to house computer systems and associated components, such as telecommunications and storage systems. It generally includes redundant or backup power supplies, redundant data communications connections, redundant storage devices, environmental controls (e.g., air conditioning, fire suppression) and security devices.
  • a system for balancing network traffic among virtual machines includes a first virtual machine executed by a first physical server connected to a physical network and a second virtual machine executed by a second physical server connected to the physical network.
  • a gateway device is configured to route network traffic through the physical network to and from the first and second virtual machines.
  • a load balancer module is executed by the gateway device. The load balancer module is configured to: at least partially decode the network traffic to identify a destination address of the network traffic; determine if the destination address is the address of a load-balanced virtual machine; and if the destination address is the address of a load-balanced virtual machine, route the network traffic to a destination virtual machine according to a load-balancing scheme.
  • FIG. 1 is a block diagram which illustrates the flow of a packet from a virtual machine residing on physical server to a third party;
  • FIG. 1A is a diagram which illustrates the flow of Pserver to Pserver failover
  • FIGS. 2 and 2A are flow diagrams which illustrates a process of sending a packet from a virtual machine residing on a physical server of a data center to a third party;
  • FIGS. 3 and 3A are flow diagrams which illustrates a process of sending a packet from a third party to a virtual machine residing on a physical server of a data center;
  • FIG. 4 is a block diagram of a communication network between a pair of virtual machines
  • FIG. 5 is flow diagram which illustrates an exemplary load balancer operating process
  • FIG. 6 is flow diagram which illustrates an exemplary process of load balancer failover handling.
  • a network 10 (illustrated in the form of a network diagram) includes one or more physical servers each of which supports one or more virtual machines (where, as is know in the art, a virtual machine is a computer software application in which when executed on a physical server, simulates a physical computer).
  • physical servers 12 a and 12 b may each execute one or more virtual machines (e.g. virtual machine 14 ).
  • each physical server may also execute one or more encoder/decoder modules, and one or more firewalls.
  • the physical servers also have network interfaces including one or more network cards designated IB 0 and IB 1 in FIG. 1 .
  • Each physical server may be connected via a network to one or more network switches 22 . These network switches may be connected, via a network, to one or more gateways 24 . The gateways 24 may in turn be connected via a network to one or more routers 28 . The routers 28 may provide access to (e.g. be connected to) a wide area network 30 , which may be an internet or a private wide area network. Third party computers 32 may communicate with the virtual machines 14 through the network infrastructure shown in FIG. 1 .
  • the network infrastructure may include one or more load balancer modules (or more simply, “load balancers”) 26 . These load balancers may be resident on and/or executed by the gateway machines. When network traffic arrives for a virtual machines, the load balancer may intercept the traffic and determine which virtual machine the traffic should be sent to. In an embodiment, the load balancer will choose the virtual machine having the least processing load that is capable of handling the traffic.
  • load balancer modules or more simply, “load balancers”
  • load balancers may be resident upon gateway machines within the network infrastructure.
  • the load balancer may partially decode the packet to determine whether the packet is being directed to a virtual machine that is being load balanced, and whether the destination virtual machine is a short cut to an arc or node that is being load balanced. If so, the load balancer then determines which node the packet is being sent to. Once this is determined, the load balancer can direct the packet to an appropriate node according to a load balancing scheme including but not limited to a round robin scheme, lowest load first, fastest throughput scheme, and the like.
  • the load balancer monitors the virtual machines in order to determine their current load.
  • the virtual machines may include software that provides various measurements of performance and load.
  • the load balancer can access these measurements to help in determining whether to send packets to the virtual machine. For example, the load balancer may receive measurements such as network traffic load, processor utilization, hard drive utilization, memory utilization, etc. If a virtual machine has a heavy load, the load balancing algorithm may indicate that the virtual machine is not a good candidate to receive more traffic.
  • the load balancer can also track and retain information about where packets are delivered. For example, if a third party user opens a connection to a load balanced virtual machine, the load balancer can retain information about that connection so that future network packets of the connection are always sent to the same virtual machine instead of being load balanced to other machines. This can eliminate the need for the user to re-authenticate on a different virtual machine if the load balancer changes the destination of the network traffic. For example, if a virtual machine is hosting a website that requires authentication, the connection to the website can remain with a single virtual machine because changing the destination of the packets could require the user to re-authenticate with the website.
  • the load balancer can also determine if a virtual machine is responding to network traffic. If the load balancer sends traffic to a virtual machine, and the virtual machine does not respond within a predetermined time period, the virtual machine may be removed from the load balancer's list of machines that it can send network traffic to.
  • load balancing information is assigned through software.
  • each gateway may make the same routing decision based upon source and destination IP addresses and ports.
  • this technique eliminates the need to synchronize the gateways on which the load balancers are executed.
  • the physical servers send updates about the virtual machines and their processing loads to the load balancers, but there may be no need to synchronize in the other direction and send information from the gateway to the physical server.
  • a physical server bank i.e. a group of servers
  • a number virtual machines may reside on a single physical server.
  • Physical server banks provide physical resources that can be allocated to computing infrastructures.
  • the physical server bank may be divided into a number of virtual machines, where each virtual machine uses a portion of the physical server resources.
  • a single virtual machine may utilize one or more cores of the physical server while in other applications a single virtual machine may utilize a portion of a physical server core (e.g. two or more virtual machines may utilize a single core).
  • a single physical server may be divided into multiple virtual machines in a similar manner.
  • the logical diagram network depicts the arrangement of system infrastructure and can be used to help explain how virtual traffic is routed.
  • the exemplary network of FIG. 1 includes two physical servers 12 a , 12 b and also designated as PERSERVER 1 and PERSERVER 2 in FIG. 1 on which are executing application software to implement virtual machines.
  • Each Pserver has two interfaces, IB 0 and IB 1 , each of which is connected to corresponding ones of a pair of switches SW 1 , SW 2 (i.e. each interface is connected to one a distinct switch).
  • the system comprises only two switches with each switch having 48 ports.
  • a relatively large number of physical servers may be coupled to each switch.
  • Each switch connects to at least one internet gateway and each internet gateway connects to at least one distinct switch on one of the routers.
  • any one wire can fail, any one switch can fail and one any internet gateway can fail, and anyone internet call router can fail, but the system still has full connectivity. It is significant to note that by providing the system having two switches, any one switch can fail and the system remains operational (i.e. the system has redundant paths and a fail over capability).
  • the network of FIG. 1 is shown for exemplary purposes only. Other network infrastructures and topologies can be used as well.
  • infrastructure having redundant wiring and redundant cabling is provided and which can be used if the system is required to operate in a failover mode as described further herein (see “Flow: Pserver to Pserver fail over”).
  • the encoder decides which network path to use for communication, e.g. whether to send network communications to SW 1 or SW 2 , to provide a communication path or another physical server. To make this decision, the system utilizes sessions.
  • a “session” refers to a connection between two virtual network interface cares (NiCs) on different physical servers via the same fabric/network and a “session device” refers to a device associated with a session (one device is attached exactly to one fabric).
  • NiCs virtual network interface cares
  • a “session device” refers to a device associated with a session (one device is attached exactly to one fabric).
  • the system When the system sends traffic between two virtual machines (VMs), the system first checks to see whether traffic has been sent between the two VMs in the past. If the system has sent traffic between two VMs, then a session exists. If the system has not yet sent traffic between the two VMs, then the system decides that there is no pre-existing session. If there is no session, then the system creates a new session. At the beginning, the session on both wires is unresolved because the system does not yet have information about the state of the session.
  • VMs virtual machines
  • the system may continue to check these sessions in the background to determine if communication can be established.
  • certain entries list session 1 , session 2 , or both as unresolved.
  • the system uses both paths to send the same packet.
  • the system adds a sequence number to this packet because the system has the option that either one wire works or the other wire works or both wires work.
  • the system detects whether both packets arrive twice by checking the sequence number and discards one copy so that a client only receives one packet and not two packets, in order to avoid duplicate packets).
  • the system moves the session from the state of “unresolved” to the state of “OK.”
  • the system has the option to utilize any combination of states e.g.: both have failed; both are OK; or one failed and one is OK.
  • system can use the session that is “OK” (as indicated in the first row of the table) and continue sending traffic along the path.
  • a session is indicated as having a status of “Fail” or “Unresolved,” the system performs background checks by continuously or periodically trying to determine whether the session is now working again.
  • the system allows changing a session state at any time and dynamically changes depending upon the actual state of physical wiring (i.e. whether a physical correction can be made).
  • the wiring begins to fail the state changes to Fail, if the wiring begins to operate properly the state changes to “OK”.
  • a session is marked as “Unresolved”, this indicates that a packet has not yet been successfully transmitted and/or received over the session.
  • the OK session is used since it is known to work.
  • the system may choose to test the Unresolved session and not the failed session, because the state of the failed session is already known. Although it is unknown whether the session will work via unresolved, the reason for the unresolved state is simply that the system does not have any information.
  • the system learns the response of that packet (i.e. either that the session goes into a state of Fail or a state of OK). If the packet is sent into an unresolved session, the system will subsequently determine if the session is OK or failed.
  • the customer From a client (or customer) perspective, the customer has an Ethernet network.
  • the customer need not take any steps to make the network redundant, and need not use complicated bonding devices, routing algorithms, the system does all of that for the client designed in the virtual Ethernet.
  • the session information may be kept in the software stack that checks the sessions.
  • the technique described herein provides the customer within redundant network paths without requiring the virtual machine and the operating system of the customer to be configured in a certain way to make use of this redundancy.
  • the system is able to provide a redundancy characteristic without any special requirements on the virtual machine for the third party (i.e. the client need not configure anything on the client).
  • redundancy is required in a way which is transparent to the client. That is, any client can set up a virtual machine with the network and has redundancy automatically built in.
  • FIGS. 2 , 2 A, 3 , 3 A, 5 and 6 are a series of flow diagrams showing the processing performed by a processing apparatus which may, for example, be provided as part of a network such as that shown in FIG. 1 .
  • the rectangular elements (e.g. block 40 in FIG. 2 ) in the flow diagram(s) are herein denoted “processing blocks” and represent steps or instructions or groups of instructions. Some of the processing blocks can represent an empirical procedure or a database operation or process while others can represent computer software instructions or groups of instructions.
  • the diamond shaped elements in the flow diagrams (e.g. block 52 in FIG. 2A ) are herein denoted “decision blocks” and represent steps or instructions or groups of instructions which affect the processing of the processing blocks.
  • some of the processes described in the flow diagram may be implemented via computer software while others may be implemented in a different manner e.g. via an empirical procedure.
  • processing and decision blocks can represent processes performed by functionally equivalent circuits such as a digital signal processor (DSP) circuit or an application specific integrated circuit (ASIC).
  • DSP digital signal processor
  • ASIC application specific integrated circuit
  • the flow diagrams do not depict the syntax of any particular programming language. Rather, the flow diagrams illustrate the functional information one of ordinary skill in the art requires to perform the processes or to fabricate circuits or to generate computer software to perform the processing required of the particular apparatus. It should be noted that where computer software can be used, many routine program elements, such as initialization of loops and variables and the use of temporary variables are not shown. It will be appreciated by those of ordinary skill in the art that unless otherwise indicated herein, the particular sequence of processes described is illustrative only and can be varied without departing from the spirit of the invention.
  • FIGS. 2 and 2A a process is shown for sending a packet from a virtual machine (“VM”) to a third party server.
  • the client may add a network card to the VM and, for each network card associated with that virtual machine, the system sends from its database (stack) the information to the physical server (Pserver) to start a VM with a given network card, MAC, a virtual network identifier (ID) (VNET ID), a clientlD, and a virtual gateway client ID.
  • Pserver physical server
  • the virtual gateway ip is an internet protocol (IP) address to which the network reacts or responds in a special way. If the virtual machine sends an IP packet to the IP address of the virtual gateway, then it is intercepted and routed via a virtual gateway ip.
  • IP internet protocol
  • this virtual gateway ip corresponds to the systems of an entire cluster of gateways.
  • a system would have a default router and a default IP address.
  • the system described herein has a cluster and a fully redundant system with many paths and thus the gateway cluster has a relatively large number of IP addresses (e.g. about sixteen 16 different IP addresses in one embodiment) under which they can be reached.
  • the system intercepts the traffic and sends a response to the virtual machine (e.g. an ARP reply response) to say it is a special MAC address that has been fixed throughout the systems (always the same one) which is entered by a network frame to be routed to the gateway.
  • the virtual machine may send a packet out onto the internet.
  • the VM determines that a router is needed (the normal standard routing mechanism)
  • it sends an ARP request for the IP address of its default router.
  • the system recognizes that ARP request because the system has information about the virtual gateway IP address and the system intercepts that packet sends back an ARP reply where the system puts a special MAC address into the MAC frame (i.e. if it is desired to get to the default router, it is necessary to use this MAC address in the internet frame).
  • the virtual machine does so with its standard IP stack and sends out the internet frame with the thus provided MAC address and the system, at that point, uses the redundancy mechanism to determine where to route the packet.
  • the mechanisms described between the physical servers (Pservers) works between gateways (e.g. routed between IB 0 or IB 1 and the system sends the packet to any one of the gateways).
  • gateways e.g. routed between IB 0 or IB 1 and the system sends the packet to any one of the gateways.
  • the purpose of the described technique is to allow the use of redundant gateways.
  • the system includes redundant gateways and redundant internet connections. Thus, if one of the gateways or the internet connections fail, the system utilizes the redundancy stack.
  • the number of gateways are selected based in large part upon the load placed upon the gateways. If the system recognizes that the gateways are busy, then another gateways is added.
  • each physical server can have more than one virtual machine executing thereon.
  • the physical servers are limited to 62 virtual machines (i.e. 62 VMs per Pserver) with capacity to go up to several hundred.
  • a Pserver having 64 CPU cores will host 62 VMs.
  • the limit is set at 62 with 2 being reserved for the system.
  • the limit could be set at 126 with 2 being reserved for the system and so on an so forth.
  • the cores that are held in reserve can be used, for example, to perform maintenance and management tasks on the Pserver. In various embodiments, more or less than 2 cores can be reserved to perform these tasks.
  • the number of VMs per Pserver can be increased. This can reduce hardware cost because the system can place many VMs (e.g. hundreds of VMs onto a single Pserver) which makes operation of the system less expensive.
  • some computed metric can be established to set the number of VMs on a single Pserver, or slices of a core can be assigned to each client which again can establish the number of VMs on a Pserver.
  • the system maps the memory area of the one virtual machine with the data to be sent to the other one into the memory area of the second virtual machine and notifies the second VM that it received data. This results in a very fast switching mechanism and system.
  • the network is dynamic and virtual machines may be moved from Pserver to Pserver relatively frequently.
  • the virtual machines reside on a Pserver for periods of time (e.g. hours or days, or weeks or months), then move to the next Pserver. This is done to continuously optimize the network and cut down on resources which are not being used or which cannot be used. For this reason, the full speed of the switching mechanism may not be made fully available to a client. If the full speed of this switching mechanism to were provided to a client, then they may observe a varying speed because, in such an embodiment, sometimes the VM must communicate with the same machine and sometimes the VM must communicate over the network.
  • the traffic is moved from one virtual machine to another using CPU-Cycles assigned to the Virtual machine(s) related to the move of data.
  • the Pserver may introduce a delay between the time the memory is mapped and the time the recipient can access the mapped data.
  • the mapping operation may require only a single instruction to be executed by the CPU in order to map the entire set of data being communicated to the recipient. Because the mapping operation happens quickly, the recipient machine may not be ready to receive the data. Thus, adding a delay can reduce errors relating to the mapping of the data.
  • the gateway is configured to only communicate via IP to the outside world, i.e. the system may be configured to not support IPX or IPN routing to the outside. In other embodiments, the gateway may be configured to support IPX or IPN routing to the outside.
  • the system may determine that it is a virtual machine (VM) on a local LAN that is sending the packet to the gateway. In this case, the packet is taken and re-injected (i.e. forwarded by the gateway) into the LAN. This is done provided the virtual network ID (VNET ID) matches the network ID which sent the packet. Thus, even if the gateway is used, it may prevent packets from crossing borders between virtual networks. Thus, the system can prevent one client from injecting traffic into or receiving traffic from another client's network. In such cases, the packet may be either bounced and re-injected or dropped.
  • VM virtual machine
  • VNET ID virtual network ID
  • the system determines whether the IP address that the virtual machine sends is an address that is connected to the same network cluster as the system, or whether it is connected to an external network, such as the internet.
  • a client may wish to browse the website from another client hosted by the same data center.
  • the system may allow network traffic to flow from one client to another client (i.e. if a client has a website that is publically accessible, the server can be accessible from other client within the data center).
  • IPv4 If the IPv4 is local, then the system changes the virtual network ID or client ID to one of the VM IDs in the network cluster and sends it back onto the network. If it is not local, then the packet is sent to the core routers and the packet is routed through the internet.
  • the entire system is redundant and that the system can simulate (from the virtual machine) a single gateway at least in part because the gateway clusters are addressable with a single address.
  • the system may not require knowledge that a large number of gateways exist.
  • the virtual machine is configured relatively simply and the standard configuration of a VM with a default router will lead to access to a number of different gateways and routing traffic throughout the network to simulate a router as much as possible, but in a redundant and performance enhancing way.
  • the entire system can be scaled to provide increased or decreased performance (e.g. increased or decreased network bandwidth) such that, if desired, it is never necessary to have a bottleneck. This occurs due to the ability to add gateways, Pservers and other resources.
  • the system assigns the same virtual IP addresses and virtual MAC addresses to physical gateways. This is significant because many clients may have different IP addresses (e.g. clients having a private network address of 10.1.1.1. or 172.21.1). Thus, in the network of the system described herein, the same IP address can be used for multiple network devices attached to different virtual networks. For example, multiple devices can have the IP address 10.1.1.1 if so desired.
  • the system described herein allows a client to use their preferred IP addresses or network, and the system provides the client with an IP address of a gateway corresponding to the chosen subnet.
  • the system may provide a virtual gateway with an IP address of 10.1.1.254 (or any other address within the subnet 10.1.1.xxxx).
  • IP address 10.1.1.254
  • clients are free to use whatever subnets or IP address ranges they desire.
  • processing or flow which takes place when a packet is sent from a virtual machine (e.g. VM 1 in FIG. 1 ) to a third party host (e.g. third party host 32 in FIG. 1 ) first begins in processing block 40 in which a configuration process is performed. During configuration, network interface cards (NiCs), client identifiers (IDSs), virtual-gateway-internet-protocol addresses and media access can ( )addresses are established and configured. Processing then flows to processing block 42 in which a guest-IP stack sends an address resolution protocol (ARP) multicast for a virtual gateway IP.
  • ARP address resolution protocol
  • an ARP reply by an ARP spoofer in an encoder is provided on a physical server (Pserver).
  • Pserver physical server
  • the Guest-IP stack sends a packet to a gateway MAC (to be encoded).
  • Processing then flows to processing block 48 in which the encoder determines the gateway to which it should send packets. It should be noted that in preferred embodiments, redundant, physical paths exist for each single virtual path. Processing then flows to processing block 50 , in which the decoder on the gateway receives the packet.
  • Processing then proceeds to decision block 52 in which a determination is made as to whether the destination is IPV4 public. If it is determined that the destination is not public, then processing flows to decision block 54 where a decision is made as to whether a source VNET ID is equal to a destination VNET ID. If it is determined that the two values are not equal then the packet is dropped. If it is determined that the values are equal then the packet is re-injected into the network traffic.
  • decision block 52 If in decision block 52 a decision is made that the destination is public, then processing flows to decision block 60 in which it is determined whether the IPV4 address is local to the gateway cluster. If a decision is made that the address is not local to the gateway cluster then processing flows to processing block 64 and the packet is sent to a router. If, on the other hand, a decision is made that the packet is local to the gateway cluster then processing proceeds to processing block 62 where the VNET ID and CLIENT ID are swapped and the packet is re-encoded.
  • the flow of a packet from a third party server to a virtual machine begins by configuring a NiC and all gateways as shown in processing blocks 70 and 72 .
  • processing block 74 a packet arrives at one of a plurality of gateways (e.g. gateway GWn) and then processing proceeds to decision block 76 , in which a decision is made as to whether the IPV4 addresses exists in a match list. If the address does not exist in the match list, then the packet is dropped as shown in processing block 78 .
  • gateway GWn a plurality of gateways
  • processing proceeds to processing block 80 in which a packet is created and the packet is then sent to the appropriate physical server (PSERVER) as shown in processing block 82 .
  • PSERVER physical server
  • Processing then proceeds to decision block 84 where a decision is made as to whether the destination MAC address exists.
  • a mac-address management tool such as MC-Setup or a custom software tool, can be used to make the determination. If in decision block 84 a decision is made that the destination MAC address does not exist, then the packet is dropped as shown in processing block 85 .
  • processing proceeds to decision block 86 in which a determination is made as to whether the source VNET ID is equal to the destination VNET ID. If the two values are not equal, then the packet is dropped as shown in processing block 85 . If the values are equal, then processing proceeds to decision block 88 where a decision is made as to whether the address is local to physical server PSERVER. If a decision is made that the address is local, then processing proceeds to processing block 90 where the packet is decapsulated and delivered to the appropriate virtual machine. Otherwise, processing flows to processing block 92 where the packet is forwarded to a remote server and the processing begins again at decision block 84 .
  • the system sends information to the Pserver.
  • the system may send a packet from the internet to the virtual machine.
  • the gateways are configured with the MAC address of the VMs with the public IPv4 address, the client ID and the V-Net ID. This is referred to as an IP Match Entry.
  • the system has a list that is called IP-Match and these four numbers together are referred to as an IP Match Entry.
  • the list is held in a table in kernel space on the gateway (e.g. in the NiC of the gateway) and is used to translate public IPv4 address into virtual machine addresses.
  • the virtual machine addresses can include one or more of: IPv4 addresses, IPv6 addresses, customer IDs virtual machine IDs, PServer IDs, etc.
  • the database connects directly to the gateways directly (i.e. the database communicates with the gateways and request that an IP Match Entry be added to the gateway).
  • the gateways are configured from the Pserver. This is done since the information needed by the gateway is actually on the Pserver. Thus, when a Pserver starts a VM, the Pserver multicasts to the gateways the information it has and the gateways add this information to their IP Match and tables.
  • the packet When the packet arrives on the gateway (e.g. the IPv4 packet arrives), the packet goes into the encoder and the system determines whether there is a match in the IP Match Table. If no match is found, the packet is dropped. It is assumed the IP Match Entry Table has a complete list of all IP addresses that run in the data center. Because of the cluster and zone environment approach used, a high degree of confidence exists in this assumption.
  • the IP Match List is optimized to accommodate the large number of addresses (e.g. millions of IP addresses) and the system can simply match the addresses.
  • the IP Match List can be stored as a tree or other data structure to reduce the time required to search the IP Match List for an entry.
  • the system creates an ethoip6 packet, which uses the same mechanisms to create the IPv6 destination IP address from the net prefix and the MAC (the Net Prefix is an IPv6 identifier of the cluster and is added to the MAC).
  • the MAC received the IP Match Entry so it has a complete IPv6 destination address to which to send the traffic.
  • the IPv6 source address is the interface of the gateway from which it was received. Therefore, the system can distinguish whether the traffic came through one, two, three or N gateways.
  • the system also adds the header with the remaining bit from the IP Match Entry.
  • the IPv6 packet is transmitted to the physical server (PSERVER, in FIG. 1 ), at which point the same redundancy mechanism over two wires (described above) will be used. Therefore, the traffic will eventually arrive at a physical server destination and be processed in manner the same as or similar to that described above.
  • PSERVER physical server
  • the system determines whether a destination MAC address belongs to the virtual machine and whether the source v-net id is the same as the destination v-net id. If so, the system checks to see whether the address is local to the Pserver. If a packet is received by the Pserver, the system determines whether there is an entry in the routing table on the Pserver. If so, the system can determine that the packet should be sent to one of the virtual machines, and forwards the packet to the virtual machine.
  • the Pserver forwards the packet to the proper Pserver, or re-inserts the packet into the network.
  • virtual machines may be moved from Pserver to Pserver.
  • virtual machines move from Pserver to Pserver they can continue to receive network traffic.
  • Virtual machines may move from Pserver to Pserver for a variety of reasons including, but not limited to: the inability to add more VMs to a Pserver; a Pserver not operating; a Pserver being overloaded, etc.
  • the network traffic and I/O traffic it is possible to measure characteristics such as network traffic and I/O traffic and optimize to that as well. For example, if there are ten virtual machines that send each other a large amount of network traffic, it may be beneficial for them to reside on the same Pserver. Doing so can result in more efficient use of the hardware. For example, if the virtual machines reside on the same Pserver, the traffic between the virtual machines need not be inserted onto the physical network between Pservers.
  • the client can request a VM to be moved to or from a particular Pserver.
  • the client may request that different VMs be executed by Pservers in different physical locations for security or reliability purposes.
  • Virtual machines 100 and 146 may be software applications stored in computer readable storage medium and executable by a processor.
  • the virtual machines 100 and 146 may simulate computers, i.e. they may provide services similar to or the same as services provided by a desktop computer, a server, a laptop, a cell phone, a mobile device, etc.
  • the services provided by virtual machines 100 and 146 may include communication services, an operating system, hardware simulation, data processing services, etc.
  • Each virtual machine 100 and 146 may also include a virtual (i.e. software based) processor that can execute computer readable code and software.
  • a first virtual machine 100 includes a virtual network interface card (NIC) 102 and may include a MAC address 104 .
  • virtual machine 146 may include a NIC 148 and a MAC address 150 .
  • NIC 102 and 148 may be virtual (i.e. software based) NIC cards that are part of the virtual machines 100 and 146 .
  • the MAC addresses 104 and 150 may be stored in memory and may provide the virtual NIC cards 102 and 148 with unique MAC addresses.
  • Virtual machines 100 and 146 may be implemented by physical servers.
  • Physical servers may comprise physical hardware, e.g. a server computer, a series of server computers, etc.
  • a physical server may have multiple computer processor chips (processors).
  • a physical server may, for example, have 1, 2, 4, 8, 32, 64, or more physical processors. These processors, along with other hardware and software resident in the physical server, may execute code that implements the virtual machines.
  • the physical servers may also include other processing resources such as Ethernet cards (e.g. Ethernet cards 138 and 122 ), memory, storage such as hard disk drives, etc.
  • each physical server may implement more than one physical machine.
  • a physical server may implement a number of virtual machines up to the number of physical processors in the server. For example, if a physical server has 64 processors, it may implement up to 64 virtual machines, each virtual machine having a physical processor assigned to it.
  • a physical server having 64 processors may reserve some of the processors for other functions, such as executing software or an operating system required to run on the physical server. For example, a physical server may reserve 62 processors for executing virtual machines, and may reserve 2 processors for executing other software.
  • the physical server may assign multiple processors to a virtual machine.
  • a virtual machine that requires more processing power may, for example, have 2, 4, 8, or more processors assigned.
  • a single physical processor in the physical server may be assigned to more than one virtual machine.
  • the physical server may reserve one or more processors to run other tasks and execute other software apart from the virtual machines. For example, the physical server may assign one or more processors to run the server's operating system, the server's processes, or other administrative and maintenance processes that help the physical server operate.
  • the virtual machines can also be scaled to be more or less powerful, depending upon a customer's needs for the virtual machine. If it is desired that the virtual machine scale up and become more powerful, the physical server can assign additional processors (and/or additional other computing resources) to the virtual machine. If it is desired that the virtual machine scale down and become less powerful, the physical server can re-assign processors and other resources from the virtual machine.
  • Each physical server may include one or more gateways having an encoder/decoder module (i.e. encoder/decoder 144 and encoder/decoder 108 ). These encoder/decoder modules may encode network traffic generated by the virtual machines, and/or decode network traffic received by the virtual machines.
  • VM 1 a first virtual machine, VM 1 , having one or more network interface cards (NiC) (with only one network interface card NiC1 being shown in FIG. 4 ) and one or more corresponding media access control (MAC) addresses with one MAC address MAC 1 being shown in the exemplary embodiment of FIG. 4 .
  • NiC network interface cards
  • MAC media access control
  • Each separate NiC has at least one MAC address.
  • encoder/decoder 108 When the first virtual machine transmits a packet to a second virtual machine 146 , encoder/decoder 108 operates as an encoder and encoder/decoder 144 operates as a decoder. The opposite is, of course, true when VM 146 transmits a packet to VM 100 .
  • Each MAC address is unique and centrally provisioned (i.e. uniquely assigned from a database). Thus, all MAC addresses are unique throughout the entire system.
  • VM 1 sends a packet to the encoder (IPv6dst)
  • the encoder receives the packet with no special VLAN tagging required (i.e. it receives any ip traffic, ipx traffic, IPv6 traffic) and encodes it.
  • IPv6dst IPv6 destination address
  • source address IPv6dst
  • header IPv6 header
  • IPv6 addresses are used to route the Ethernet frame around the global network.
  • the system calculates (i.e. derives) the IPv6 destination address by adding a network prefix, which is fixed in a data center (where each data center may have a certain network prefix).
  • the system then attaches the MAC address to the packet.
  • the IPv6 address corresponds to the data center and/or the virtual machine's MAC address.
  • the same process is used for the source address (i.e. the MAC address of the sending destination IPv6 of the virtual machine (e.g. IPv6 address of VM 2 in FIG. 4 which is where the traffic is going).
  • the system can produce frames and other network traffic guaranteed to arrive at the right physical machine, because that is where IPv6 address is added.
  • IPv6 address is added.
  • the system makes sure that an IPv6 address is also added to the physical host (e.g. the physical server and/or a NIC card in the physical server) that corresponds to the MAC address.
  • the packet header includes a client id (e.g. a customer identifier) of the VNET ID.
  • the client ID is also recorded in other parts of the system.
  • the client ID is associated with network traffic generated by VMs of the client, included in databases relating to client billing, etc.
  • the VNET ID is a network identifier. Since a particular client can have multiple networks, VNET IDs are used to identify one or more of the client's networks. Both client IDs and VNET IDs are unique identifiers and may be assigned or tracked by a database.
  • the decoder reads the information in the header and checks whether the virtual network id of the sending virtual machine is the same as or matches that of the receiving virtual machine. This way the system makes sure that Ethernet frames from one virtual network only stay in that virtual network. For example, this helps prevent traffic generated by one client's virtual machines from arriving at the virtual machine of another client. This is the system attaches the virtual network id in the header (i.e. the system handles this aspect, rather than the client) and is enforced in the network stack.
  • the system strips away the header, examines the IPv6 destination and source, unpacks the Ethernet frame that the virtual machine 1 (VM 1 ) has created, and feeds the Ethernet frame to virtual machine two (VM 2 ), which then simply sees an Ethernet frame arriving.
  • VM 1 virtual machine 1
  • VM 2 virtual machine two
  • Each physical server may also implement one or more firewalls, such as firewalls 110 and 142 .
  • these firewalls may be software-based firewalls that are executed by the core of a virtual machine. Accordingly, there may be a firewall for each virtual machine. This may allow the firewall to scale as the virtual machine scales. For example, if additional processors are allocated to the virtual machine to make the virtual machine run faster or more powerfully, the firewall may also run faster and more powerfully because it is executed by the core of the virtual machine. This means that the firewall can operate at top speed, or “line” speed because as the virtual machine becomes more powerful and requires more network traffic, the virtual machine also becomes more powerful and can handle the additional network traffic. Also, if a virtual machine is transferred or moved from one physical server to another, the firewall can also move with the virtual machine.
  • each firewall implemented by a physical server can include a set of rules that is a superset of multiple firewalls.
  • each firewall can include a super-set of rules and filters so that a hierarchy of firewalls is not necessary.
  • the firewall can also be configured to have custom traffic filters.
  • network packets in a virtual network between two virtual machines may include custom headers.
  • These headers may include additional information that is not usually found in traditional network traffic.
  • the header may include an identifier of the recipient virtual machine, an identifier of the sender virtual machine, an identifier of a client who owns the virtual machine, an identifier of a recipient or source network of the packet, and identifier of a virtual network, etc.
  • These custom filters can allow or reject traffic based on any combination of information in the custom header.
  • a firewall rule can be set up to check the header of network traffic, compare it to some or all of the custom header information, and reject any traffic coming from a particular virtual machine, except for traffic coming from port 22 of the virtual machine, for example.
  • These custom rules can also help to prevent spoofed or fake packets from getting through to a virtual machine by providing additional methods of data validation, and by providing filters that are not dependent upon traditional network traffic identifiers such as IP address or MAC address.
  • load balancer decision flow at a gateway begins in block 160 where an incoming IP Packet is received. Next a decision is made as to whether the destination IP address exists in an internal match table. If the address is not in the match table then the packet is dropped as shown in processing block 164 . Otherwise processing proceeds to decision block 166 where a decision is made if the destination MAC address exists in an internal match table. If it does not exist then processing proceeds to block 168 where the packet is processed as a non-load balanced packet. Otherwise processing proceeds to decision block 170 where a determination is made as to whether the entry exists for a search IP address and port and a destination IP address. If no match exists then processing proceeds to block 172 and the destination MAC address is used for sending the packet. Processing then proceeds to block 174 where the packet is wrapped into ethoip6 and transmitted to the destination MAC.
  • decision block 170 processing flows to decision block 176 where a lookup is made for the destination IP LB-configuration in the LB realm table. If the entry is not found then the packet is dropped as shown in processing block 178 . If the entry is found, then processing proceeds to decision block 180 where a destination MAC is chosen. If no destination MAC is found, then the packet is dropped as shown in processing block 178 . If the destination MAC is found then processing flow to processing block 182 where a cache entry session is created. Processing then flows back to decision block 170 .
  • processing block 190 a process for load balancer failover handling is shown.
  • processing block 190 a customer defined wait period is observed. Processing then flows to decision block 192 , where a ping is sent to a desired destination. If a correct reply is not received then processing flows to decision block 194 where a decision is made as to whether the NiC should be marked as inactive. If the NiC should not be marked as inactive, then processing returns to processing block 190 . If a decision is made that the NiC should be marked as inactive, then processing flows to processing block 196 and a message is sent to the appropriate gateway for deactivation of the LB node. Processing then proceeds to block 198 where the NIC of the virtual machine is marked as deactivated. Processing then returns to processing block 190 . It should be noted that the processing in decision blocks 200 - 206 is optional.
  • decision block 192 If in decision block 192 the check is okay, then processing flows to decision block 200 where a check is made to determine if a service port on the destination IP is reachable. If the check fails, then processing flows to decision block 194 .
  • processing proceeds to decision block 202 where a UDP is checked. If the UDP check fails then processing flows to decision block 194 . If the UDP check succeeds, then processing flows to decision block 204 where a TCP reply is checked. If the TCP reply fails then processing flows to block 194 . If the TCP reply is okay then processing flows to decision block 206 where more tests may be performed. If the any of the tests fail, then processing flows to block 194 , otherwise, processing flows to decision block 208 .
  • decision block 208 a decision is made as to whether the NIC should be marked as deactivated. If the NIC should not be marked as deactivated, then processing flows to block 190 . If a decision is made that the NIC should be deactivated then processing flows to blocks 210 and 212 where the NIC of the VM is marked as deactivated and a message is sent to the gateway to activate the LB-Node.
  • the systems and methods described herein may be implemented hardware, software, or a combination.
  • Software may comprise software instructions stored on one or more computer readable medium which, when executed by one or more processors, cause the processors to perform operations that implement the systems and methods.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A system for balancing network traffic among virtual machines includes a first virtual machine executed by a first physical server connected to a physical network and a second virtual machine executed by a second physical server connected to the physical network. A gateway device is configured to route network traffic through the physical network to and from the first and second virtual machines. A load balancer module is executed by the gateway device. The load balancer module is configured to: at least partially decode the network traffic to identify a destination address of the network traffic; determine if the destination address is the address of a load-balanced virtual machine; and if the destination address is the address of a load-balanced virtual machine, route the network traffic to a destination virtual machine according to a load-balancing scheme.

Description

    CROSS REFERENCE TO RELATED APPLICATIONS
  • This application claims priority to and benefit of U.S. Provisional Patent Application No. 61/801,391 (filed Mar. 15, 2013), which is incorporated here by reference in its entirety.
  • FIELD
  • The concepts described herein relate generally to data centers and more particularly to virtual data centers.
  • BACKGROUND
  • As is known in the art, a data center is a facility used to house computer systems and associated components, such as telecommunications and storage systems. It generally includes redundant or backup power supplies, redundant data communications connections, redundant storage devices, environmental controls (e.g., air conditioning, fire suppression) and security devices.
  • SUMMARY
  • A system for balancing network traffic among virtual machines includes a first virtual machine executed by a first physical server connected to a physical network and a second virtual machine executed by a second physical server connected to the physical network. A gateway device is configured to route network traffic through the physical network to and from the first and second virtual machines. A load balancer module is executed by the gateway device. The load balancer module is configured to: at least partially decode the network traffic to identify a destination address of the network traffic; determine if the destination address is the address of a load-balanced virtual machine; and if the destination address is the address of a load-balanced virtual machine, route the network traffic to a destination virtual machine according to a load-balancing scheme.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • The foregoing features of this invention, as well as the invention itself, may be more fully understood from the following description of the drawings in which:
  • FIG. 1 is a block diagram which illustrates the flow of a packet from a virtual machine residing on physical server to a third party;
  • FIG. 1A is a diagram which illustrates the flow of Pserver to Pserver failover;
  • FIGS. 2 and 2A are flow diagrams which illustrates a process of sending a packet from a virtual machine residing on a physical server of a data center to a third party;
  • FIGS. 3 and 3A are flow diagrams which illustrates a process of sending a packet from a third party to a virtual machine residing on a physical server of a data center;
  • FIG. 4 is a block diagram of a communication network between a pair of virtual machines;
  • FIG. 5 is flow diagram which illustrates an exemplary load balancer operating process; and
  • FIG. 6 is flow diagram which illustrates an exemplary process of load balancer failover handling.
  • DETAILED DESCRIPTION
  • Referring now to FIG. 1, a network 10 (illustrated in the form of a network diagram) includes one or more physical servers each of which supports one or more virtual machines (where, as is know in the art, a virtual machine is a computer software application in which when executed on a physical server, simulates a physical computer). Thus, as noted physical servers 12 a and 12 b may each execute one or more virtual machines (e.g. virtual machine 14). As will be described in further detail below, each physical server may also execute one or more encoder/decoder modules, and one or more firewalls. The physical servers also have network interfaces including one or more network cards designated IB0 and IB1 in FIG. 1.
  • Each physical server may be connected via a network to one or more network switches 22. These network switches may be connected, via a network, to one or more gateways 24. The gateways 24 may in turn be connected via a network to one or more routers 28. The routers 28 may provide access to (e.g. be connected to) a wide area network 30, which may be an internet or a private wide area network. Third party computers 32 may communicate with the virtual machines 14 through the network infrastructure shown in FIG. 1.
  • The network infrastructure may include one or more load balancer modules (or more simply, “load balancers”) 26. These load balancers may be resident on and/or executed by the gateway machines. When network traffic arrives for a virtual machines, the load balancer may intercept the traffic and determine which virtual machine the traffic should be sent to. In an embodiment, the load balancer will choose the virtual machine having the least processing load that is capable of handling the traffic.
  • Since load balancers interact with multiple virtual machines, the load balancers may be resident upon gateway machines within the network infrastructure.
  • When a packet is received by the load balancer, the load balancer may partially decode the packet to determine whether the packet is being directed to a virtual machine that is being load balanced, and whether the destination virtual machine is a short cut to an arc or node that is being load balanced. If so, the load balancer then determines which node the packet is being sent to. Once this is determined, the load balancer can direct the packet to an appropriate node according to a load balancing scheme including but not limited to a round robin scheme, lowest load first, fastest throughput scheme, and the like.
  • The load balancer monitors the virtual machines in order to determine their current load. The virtual machines may include software that provides various measurements of performance and load. The load balancer can access these measurements to help in determining whether to send packets to the virtual machine. For example, the load balancer may receive measurements such as network traffic load, processor utilization, hard drive utilization, memory utilization, etc. If a virtual machine has a heavy load, the load balancing algorithm may indicate that the virtual machine is not a good candidate to receive more traffic.
  • The load balancer can also track and retain information about where packets are delivered. For example, if a third party user opens a connection to a load balanced virtual machine, the load balancer can retain information about that connection so that future network packets of the connection are always sent to the same virtual machine instead of being load balanced to other machines. This can eliminate the need for the user to re-authenticate on a different virtual machine if the load balancer changes the destination of the network traffic. For example, if a virtual machine is hosting a website that requires authentication, the connection to the website can remain with a single virtual machine because changing the destination of the packets could require the user to re-authenticate with the website.
  • The load balancer can also determine if a virtual machine is responding to network traffic. If the load balancer sends traffic to a virtual machine, and the virtual machine does not respond within a predetermined time period, the virtual machine may be removed from the load balancer's list of machines that it can send network traffic to.
  • In an embodiment, load balancing information is assigned through software. In other words, each gateway may make the same routing decision based upon source and destination IP addresses and ports. Preferably, this technique eliminates the need to synchronize the gateways on which the load balancers are executed. For example, the physical servers send updates about the virtual machines and their processing loads to the load balancers, but there may be no need to synchronize in the other direction and send information from the gateway to the physical server.
  • It should be understood that in accordance with the concepts, systems and techniques described herein, a physical server bank (i.e. a group of servers) may be divided into a number virtual machines (e.g. including virtual servers). Thus, a plurality of virtual machines may reside on a single physical server. Physical server banks provide physical resources that can be allocated to computing infrastructures. Further, the physical server bank may be divided into a number of virtual machines, where each virtual machine uses a portion of the physical server resources. In some applications, a single virtual machine may utilize one or more cores of the physical server while in other applications a single virtual machine may utilize a portion of a physical server core (e.g. two or more virtual machines may utilize a single core). Conversely, in other embodiments, a single physical server may be divided into multiple virtual machines in a similar manner.
  • Referring still to FIG. 1, the logical diagram network depicts the arrangement of system infrastructure and can be used to help explain how virtual traffic is routed.
  • The exemplary network of FIG. 1 includes two physical servers 12 a, 12 b and also designated as PERSERVER1 and PERSERVER2 in FIG. 1 on which are executing application software to implement virtual machines. Each Pserver has two interfaces, IB0 and IB1, each of which is connected to corresponding ones of a pair of switches SW1, SW2 (i.e. each interface is connected to one a distinct switch). In one embodiment, the system comprises only two switches with each switch having 48 ports. Thus, a relatively large number of physical servers may be coupled to each switch. Each switch connects to at least one internet gateway and each internet gateway connects to at least one distinct switch on one of the routers. Thus, given the full path any one wire can fail, any one switch can fail and one any internet gateway can fail, and anyone internet call router can fail, but the system still has full connectivity. It is significant to note that by providing the system having two switches, any one switch can fail and the system remains operational (i.e. the system has redundant paths and a fail over capability). Of course, the network of FIG. 1 is shown for exemplary purposes only. Other network infrastructures and topologies can be used as well.
  • Thus, infrastructure having redundant wiring and redundant cabling is provided and which can be used if the system is required to operate in a failover mode as described further herein (see “Flow: Pserver to Pserver fail over”).
  • Referring now to the Table below and to FIG. 1A, in view of the encoding and decoding described herein and in view of the redundancy described herein (e.g. two physical connections or wires coupled from one physical server to the other physical server), in the event that a physical server varies in-whole or in-part, the encoder decides which network path to use for communication, e.g. whether to send network communications to SW1 or SW2, to provide a communication path or another physical server. To make this decision, the system utilizes sessions. As used herein, the term “session” refers to a connection between two virtual network interface cares (NiCs) on different physical servers via the same fabric/network and a “session device” refers to a device associated with a session (one device is attached exactly to one fabric).
  • When the system sends traffic between two virtual machines (VMs), the system first checks to see whether traffic has been sent between the two VMs in the past. If the system has sent traffic between two VMs, then a session exists. If the system has not yet sent traffic between the two VMs, then the system decides that there is no pre-existing session. If there is no session, then the system creates a new session. At the beginning, the session on both wires is unresolved because the system does not yet have information about the state of the session.
  • Consider the following Table:
  • TABLE
    Session
    1 Session 2 Behavior
    Ok Ok Use last recent session
    Ok Fail* Use non-failed session
    Unresolved* Unresolved* Use both paths to send packet
    (track packet 10 on dest. To
    avoid dups(?)
    Fail* Fail* Drop
    Ok Unresolved* Use Ok session
    Fail* Unresolved* Use Unresolved session
  • For the entries marked with an asterisk (*), the system may continue to check these sessions in the background to determine if communication can be established.
  • Looking at the Table, certain entries list session1, session2, or both as unresolved. In cases where both sessions on both wires are unresolved, the system uses both paths to send the same packet. The system adds a sequence number to this packet because the system has the option that either one wire works or the other wire works or both wires work. The system detects whether both packets arrive twice by checking the sequence number and discards one copy so that a client only receives one packet and not two packets, in order to avoid duplicate packets).
  • If is found that the system is able to send the packets on a session then the system moves the session from the state of “unresolved” to the state of “OK.” The system has the option to utilize any combination of states e.g.: both have failed; both are OK; or one failed and one is OK.
  • If a packet is sent between two physical servers (Perservers), in the case where both sessions are okay (as indicated in the first row of the Table), the system simply uses the most recent session (e.g. if the last time wire one was used for the traffic, then wire one is simply used again).
  • In the case where one of the wires is not available (as indicated in the second row of the Table) system can use the session that is “OK” (as indicated in the first row of the table) and continue sending traffic along the path.
  • If a session is indicated as having a status of “Fail” or “Unresolved,” the system performs background checks by continuously or periodically trying to determine whether the session is now working again. Thus, the system allows changing a session state at any time and dynamically changes depending upon the actual state of physical wiring (i.e. whether a physical correction can be made). Thus, if the wiring begins to fail the state changes to Fail, if the wiring begins to operate properly the state changes to “OK”.
  • If a session is marked as “Unresolved”, this indicates that a packet has not yet been successfully transmitted and/or received over the session. Thus, in the case where one session is OK and the other “Unresolved”, the OK session is used since it is known to work.
  • In cases in which the session states are Fail and Unresolved, the system may choose to test the Unresolved session and not the failed session, because the state of the failed session is already known. Although it is unknown whether the session will work via unresolved, the reason for the unresolved state is simply that the system does not have any information. Once the packet is sent, the system learns the response of that packet (i.e. either that the session goes into a state of Fail or a state of OK). If the packet is sent into an unresolved session, the system will subsequently determine if the session is OK or failed.
  • From a client (or customer) perspective, the customer has an Ethernet network. The customer need not take any steps to make the network redundant, and need not use complicated bonding devices, routing algorithms, the system does all of that for the client designed in the virtual Ethernet.
  • The session information may be kept in the software stack that checks the sessions.
  • It should be noted that the technique described herein provides the customer within redundant network paths without requiring the virtual machine and the operating system of the customer to be configured in a certain way to make use of this redundancy.
  • Thus, by implementing the redundancy table in the software stack, the system is able to provide a redundancy characteristic without any special requirements on the virtual machine for the third party (i.e. the client need not configure anything on the client). In accordance with the concepts and techniques described herein, such redundancy is required in a way which is transparent to the client. That is, any client can set up a virtual machine with the network and has redundancy automatically built in.
  • FIGS. 2, 2A, 3, 3A, 5 and 6 are a series of flow diagrams showing the processing performed by a processing apparatus which may, for example, be provided as part of a network such as that shown in FIG. 1. The rectangular elements (e.g. block 40 in FIG. 2) in the flow diagram(s) are herein denoted “processing blocks” and represent steps or instructions or groups of instructions. Some of the processing blocks can represent an empirical procedure or a database operation or process while others can represent computer software instructions or groups of instructions. The diamond shaped elements in the flow diagrams (e.g. block 52 in FIG. 2A) are herein denoted “decision blocks” and represent steps or instructions or groups of instructions which affect the processing of the processing blocks. Thus, some of the processes described in the flow diagram may be implemented via computer software while others may be implemented in a different manner e.g. via an empirical procedure.
  • Alternatively, some of the processing and decision blocks can represent processes performed by functionally equivalent circuits such as a digital signal processor (DSP) circuit or an application specific integrated circuit (ASIC). The flow diagrams do not depict the syntax of any particular programming language. Rather, the flow diagrams illustrate the functional information one of ordinary skill in the art requires to perform the processes or to fabricate circuits or to generate computer software to perform the processing required of the particular apparatus. It should be noted that where computer software can be used, many routine program elements, such as initialization of loops and variables and the use of temporary variables are not shown. It will be appreciated by those of ordinary skill in the art that unless otherwise indicated herein, the particular sequence of processes described is illustrative only and can be varied without departing from the spirit of the invention.
  • Turning now to FIGS. 2 and 2A, a process is shown for sending a packet from a virtual machine (“VM”) to a third party server. When a client orders a virtual machine, the client may add a network card to the VM and, for each network card associated with that virtual machine, the system sends from its database (stack) the information to the physical server (Pserver) to start a VM with a given network card, MAC, a virtual network identifier (ID) (VNET ID), a clientlD, and a virtual gateway client ID.
  • The client id, the VNET ID and the MAC are described herein; the virtual gateway ip is an internet protocol (IP) address to which the network reacts or responds in a special way. If the virtual machine sends an IP packet to the IP address of the virtual gateway, then it is intercepted and routed via a virtual gateway ip.
  • It should be appreciated that this virtual gateway ip corresponds to the systems of an entire cluster of gateways. Typically, a system would have a default router and a default IP address. The system described herein, however, has a cluster and a fully redundant system with many paths and thus the gateway cluster has a relatively large number of IP addresses (e.g. about sixteen 16 different IP addresses in one embodiment) under which they can be reached. Thus, the system intercepts the traffic and sends a response to the virtual machine (e.g. an ARP reply response) to say it is a special MAC address that has been fixed throughout the systems (always the same one) which is entered by a network frame to be routed to the gateway.
  • It should be appreciated that the elements described above work in conjunction with each other. As an initial matter, the virtual machine may send a packet out onto the internet. Thus, when the VM determines that a router is needed (the normal standard routing mechanism), it sends an ARP request for the IP address of its default router. The system recognizes that ARP request because the system has information about the virtual gateway IP address and the system intercepts that packet sends back an ARP reply where the system puts a special MAC address into the MAC frame (i.e. if it is desired to get to the default router, it is necessary to use this MAC address in the internet frame).
  • The virtual machine does so with its standard IP stack and sends out the internet frame with the thus provided MAC address and the system, at that point, uses the redundancy mechanism to determine where to route the packet. Thus, the mechanisms described between the physical servers (Pservers) works between gateways (e.g. routed between IB0 or IB1 and the system sends the packet to any one of the gateways). Thus, if any one gateway fails, it does not cause the system to fail since the system includes a plurality of gateways any of which can be used. Thus, the purpose of the described technique is to allow the use of redundant gateways.
  • Significantly, as noted above, the system includes redundant gateways and redundant internet connections. Thus, if one of the gateways or the internet connections fail, the system utilizes the redundancy stack.
  • The number of gateways are selected based in large part upon the load placed upon the gateways. If the system recognizes that the gateways are busy, then another gateways is added.
  • As noted above, each physical server can have more than one virtual machine executing thereon. In one embodiment, the physical servers are limited to 62 virtual machines (i.e. 62 VMs per Pserver) with capacity to go up to several hundred. In one embodiment, a Pserver having 64 CPU cores will host 62 VMs. Thus, if available state of the art Pservers are limited to 64 cores, then the limit is set at 62 with 2 being reserved for the system. Thus, if servers having 128 cores become available, then the limit could be set at 126 with 2 being reserved for the system and so on an so forth. The cores that are held in reserve can be used, for example, to perform maintenance and management tasks on the Pserver. In various embodiments, more or less than 2 cores can be reserved to perform these tasks.
  • Alternatively, by eliminating a client guarantee of 1 CPU core (i.e. offering clients virtual machines that do not have a guarantee of 1 CPU core) then the number of VMs per Pserver can be increased. This can reduce hardware cost because the system can place many VMs (e.g. hundreds of VMs onto a single Pserver) which makes operation of the system less expensive. Alternatively, some computed metric can be established to set the number of VMs on a single Pserver, or slices of a core can be assigned to each client which again can establish the number of VMs on a Pserver.
  • In terms of the routing, when a virtual machine communicates with another virtual machine on the same physical server, little or no network traffic is required since the encoder and decoder are both present on each physical server. The packet sent out via a VM on a physical server will arrive at the decoder of the same physical server and will be treated just as if it were a packet coming from the outside the physical server. Thus, the packet need not go out on the physical server's network interface card (“NiC”) and onto the physical network, rather, it may simply move straight from the encoder to the decoder and not utilize any network bandwidth. To accomplish this, the system maps the memory area of the one virtual machine with the data to be sent to the other one into the memory area of the second virtual machine and notifies the second VM that it received data. This results in a very fast switching mechanism and system.
  • It should be appreciated that the network is dynamic and virtual machines may be moved from Pserver to Pserver relatively frequently. In one exemplary embodiment, the virtual machines reside on a Pserver for periods of time (e.g. hours or days, or weeks or months), then move to the next Pserver. This is done to continuously optimize the network and cut down on resources which are not being used or which cannot be used. For this reason, the full speed of the switching mechanism may not be made fully available to a client. If the full speed of this switching mechanism to were provided to a client, then they may observe a varying speed because, in such an embodiment, sometimes the VM must communicate with the same machine and sometimes the VM must communicate over the network. By limiting it all to the same speed and not using the associated MAC for speed in that aspect, it is still helpful for the system because it does not use any CPU cycles and does not result in network traffic. Thus, it makes the system more efficient and less expensive. For example, in various embodiments, the traffic is moved from one virtual machine to another using CPU-Cycles assigned to the Virtual machine(s) related to the move of data. Thus there may be a natural limit (the speed and number of cpu cycles/cores) which limits the speed of the traffic.
  • In certain instances, when memory is being mapped, the Pserver may introduce a delay between the time the memory is mapped and the time the recipient can access the mapped data. For example, the mapping operation may require only a single instruction to be executed by the CPU in order to map the entire set of data being communicated to the recipient. Because the mapping operation happens quickly, the recipient machine may not be ready to receive the data. Thus, adding a delay can reduce errors relating to the mapping of the data.
  • The manner in which a Pserver sends a packet to the gateway is next described. When a packet arrives at the gateway, information corresponding to the client id, the virtual network id, the MAC address, etc. is all included in the packet header. Additionally, whether the protocol is IP is known. In this case, if a packet arrives at the gateway and it is not IP, then it is dropped. In one embodiment, the gateway is configured to only communicate via IP to the outside world, i.e. the system may be configured to not support IPX or IPN routing to the outside. In other embodiments, the gateway may be configured to support IPX or IPN routing to the outside.
  • If the packet received by the gateway is an IP packet, then it is determined whether the destination IPv4 is a public IPv4. If it is not a public IPv4 address, then the system may determine that it is a virtual machine (VM) on a local LAN that is sending the packet to the gateway. In this case, the packet is taken and re-injected (i.e. forwarded by the gateway) into the LAN. This is done provided the virtual network ID (VNET ID) matches the network ID which sent the packet. Thus, even if the gateway is used, it may prevent packets from crossing borders between virtual networks. Thus, the system can prevent one client from injecting traffic into or receiving traffic from another client's network. In such cases, the packet may be either bounced and re-injected or dropped.
  • If the IPv4 is public, the system determines whether the IP address that the virtual machine sends is an address that is connected to the same network cluster as the system, or whether it is connected to an external network, such as the internet.
  • In some cases, a client may wish to browse the website from another client hosted by the same data center. In this case, the system may allow network traffic to flow from one client to another client (i.e. if a client has a website that is publically accessible, the server can be accessible from other client within the data center).
  • If the IPv4 is local, then the system changes the virtual network ID or client ID to one of the VM IDs in the network cluster and sends it back onto the network. If it is not local, then the packet is sent to the core routers and the packet is routed through the internet.
  • It should also be appreciated that the entire system is redundant and that the system can simulate (from the virtual machine) a single gateway at least in part because the gateway clusters are addressable with a single address.
  • In such an embodiment, the system may not require knowledge that a large number of gateways exist. The virtual machine is configured relatively simply and the standard configuration of a VM with a default router will lead to access to a number of different gateways and routing traffic throughout the network to simulate a router as much as possible, but in a redundant and performance enhancing way.
  • It should also be appreciated that the entire system can be scaled to provide increased or decreased performance (e.g. increased or decreased network bandwidth) such that, if desired, it is never necessary to have a bottleneck. This occurs due to the ability to add gateways, Pservers and other resources.
  • It should also be appreciated that during ARP processing, the system assigns the same virtual IP addresses and virtual MAC addresses to physical gateways. This is significant because many clients may have different IP addresses (e.g. clients having a private network address of 10.1.1.1. or 172.21.1). Thus, in the network of the system described herein, the same IP address can be used for multiple network devices attached to different virtual networks. For example, multiple devices can have the IP address 10.1.1.1 if so desired. The system described herein allows a client to use their preferred IP addresses or network, and the system provides the client with an IP address of a gateway corresponding to the chosen subnet. For example, if a client wishes to use the subnet 10.1.1.xxx, the system may provide a virtual gateway with an IP address of 10.1.1.254 (or any other address within the subnet 10.1.1.xxxx). Thus, clients are free to use whatever subnets or IP address ranges they desire.
  • Turning now to FIGS. 2 and 2A, processing or flow which takes place when a packet is sent from a virtual machine (e.g. VM1 in FIG. 1) to a third party host (e.g. third party host 32 in FIG. 1) first begins in processing block 40 in which a configuration process is performed. During configuration, network interface cards (NiCs), client identifiers (IDSs), virtual-gateway-internet-protocol addresses and media access can ( )addresses are established and configured. Processing then flows to processing block 42 in which a guest-IP stack sends an address resolution protocol (ARP) multicast for a virtual gateway IP.
  • In processing block 44 an ARP reply by an ARP spoofer in an encoder is provided on a physical server (Pserver). Next the Guest-IP stack sends a packet to a gateway MAC (to be encoded).
  • Processing then flows to processing block 48 in which the encoder determines the gateway to which it should send packets. It should be noted that in preferred embodiments, redundant, physical paths exist for each single virtual path. Processing then flows to processing block 50, in which the decoder on the gateway receives the packet.
  • Processing then proceeds to decision block 52 in which a determination is made as to whether the destination is IPV4 public. If it is determined that the destination is not public, then processing flows to decision block 54 where a decision is made as to whether a source VNET ID is equal to a destination VNET ID. If it is determined that the two values are not equal then the packet is dropped. If it is determined that the values are equal then the packet is re-injected into the network traffic.
  • If in decision block 52 a decision is made that the destination is public, then processing flows to decision block 60 in which it is determined whether the IPV4 address is local to the gateway cluster. If a decision is made that the address is not local to the gateway cluster then processing flows to processing block 64 and the packet is sent to a router. If, on the other hand, a decision is made that the packet is local to the gateway cluster then processing proceeds to processing block 62 where the VNET ID and CLIENT ID are swapped and the packet is re-encoded.
  • Referring now to FIGS. 3 and 3A, the flow of a packet from a third party server to a virtual machine (e.g. VM1 in FIG. 1) begins by configuring a NiC and all gateways as shown in processing blocks 70 and 72.
  • In processing block 74 a packet arrives at one of a plurality of gateways (e.g. gateway GWn) and then processing proceeds to decision block 76, in which a decision is made as to whether the IPV4 addresses exists in a match list. If the address does not exist in the match list, then the packet is dropped as shown in processing block 78.
  • If, on the other hand, there is a match, then processing proceeds to processing block 80 in which a packet is created and the packet is then sent to the appropriate physical server (PSERVER) as shown in processing block 82.
  • Processing then proceeds to decision block 84 where a decision is made as to whether the destination MAC address exists. A mac-address management tool, such as MC-Setup or a custom software tool, can be used to make the determination. If in decision block 84 a decision is made that the destination MAC address does not exist, then the packet is dropped as shown in processing block 85.
  • Otherwise, processing proceeds to decision block 86 in which a determination is made as to whether the source VNET ID is equal to the destination VNET ID. If the two values are not equal, then the packet is dropped as shown in processing block 85. If the values are equal, then processing proceeds to decision block 88 where a decision is made as to whether the address is local to physical server PSERVER. If a decision is made that the address is local, then processing proceeds to processing block 90 where the packet is decapsulated and delivered to the appropriate virtual machine. Otherwise, processing flows to processing block 92 where the packet is forwarded to a remote server and the processing begins again at decision block 84.
  • In the process of sending a packet from a third party server to a virtual machine, when a new VM is created, the system sends information to the Pserver. At this point, the system may send a packet from the internet to the virtual machine. It is noteworthy, to point out that the gateways are configured with the MAC address of the VMs with the public IPv4 address, the client ID and the V-Net ID. This is referred to as an IP Match Entry. The system has a list that is called IP-Match and these four numbers together are referred to as an IP Match Entry. The list is held in a table in kernel space on the gateway (e.g. in the NiC of the gateway) and is used to translate public IPv4 address into virtual machine addresses. The virtual machine addresses can include one or more of: IPv4 addresses, IPv6 addresses, customer IDs virtual machine IDs, PServer IDs, etc.
  • There are at least two ways these entries can be made. In one approach, the database connects directly to the gateways directly (i.e. the database communicates with the gateways and request that an IP Match Entry be added to the gateway). In another approach, referred as an auto-configuring approach, the gateways are configured from the Pserver. This is done since the information needed by the gateway is actually on the Pserver. Thus, when a Pserver starts a VM, the Pserver multicasts to the gateways the information it has and the gateways add this information to their IP Match and tables.
  • When the packet arrives on the gateway (e.g. the IPv4 packet arrives), the packet goes into the encoder and the system determines whether there is a match in the IP Match Table. If no match is found, the packet is dropped. It is assumed the IP Match Entry Table has a complete list of all IP addresses that run in the data center. Because of the cluster and zone environment approach used, a high degree of confidence exists in this assumption. The IP Match List is optimized to accommodate the large number of addresses (e.g. millions of IP addresses) and the system can simply match the addresses. For example, the IP Match List can be stored as a tree or other data structure to reduce the time required to search the IP Match List for an entry.
  • If the address matches one of the virtual machines in the data center, the system creates an ethoip6 packet, which uses the same mechanisms to create the IPv6 destination IP address from the net prefix and the MAC (the Net Prefix is an IPv6 identifier of the cluster and is added to the MAC). The MAC received the IP Match Entry so it has a complete IPv6 destination address to which to send the traffic. The IPv6 source address is the interface of the gateway from which it was received. Therefore, the system can distinguish whether the traffic came through one, two, three or N gateways. The system also adds the header with the remaining bit from the IP Match Entry.
  • When that is done, the IPv6 packet is transmitted to the physical server (PSERVER, in FIG. 1), at which point the same redundancy mechanism over two wires (described above) will be used. Therefore, the traffic will eventually arrive at a physical server destination and be processed in manner the same as or similar to that described above.
  • The system determines whether a destination MAC address belongs to the virtual machine and whether the source v-net id is the same as the destination v-net id. If so, the system checks to see whether the address is local to the Pserver. If a packet is received by the Pserver, the system determines whether there is an entry in the routing table on the Pserver. If so, the system can determine that the packet should be sent to one of the virtual machines, and forwards the packet to the virtual machine.
  • If it is determined that the packet is addressed to a virtual machine that does not reside (i.e. is not currently being executed by) the current Pserver, the Pserver forwards the packet to the proper Pserver, or re-inserts the packet into the network. As mentioned above, virtual machines may be moved from Pserver to Pserver. Thus, virtual machines move from Pserver to Pserver they can continue to receive network traffic.
  • Considering a scenario where a packet addressed to a particular virtual machine is received at the Pserver just after the virtual machine has been moved to a different Pserver, when the virtual machine was moved, an entry was made in the Pserver's table indicating which Pserver the virtual machine was moved to. When the first Pserver receives the packet, it determines that the virtual machine no longer resides on the first Pserver and forwards the packet to the Pserver listed in the table.
  • Virtual machines may move from Pserver to Pserver for a variety of reasons including, but not limited to: the inability to add more VMs to a Pserver; a Pserver not operating; a Pserver being overloaded, etc.
  • For another reason to move a VM from one Pserver, consider the scenario where 62 virtual machines are being executed by a Pserver. Now assume that a client requests a single 62 core virtual machine. The Pserver only has two free processor cores and cannot accommodate the request. Moving one or more VM form a core on one Pserver to a core on another Pserver can free up the Pserver so it can accommodate the request.
  • Furthermore, in some embodiments, it is possible to measure characteristics such as network traffic and I/O traffic and optimize to that as well. For example, if there are ten virtual machines that send each other a large amount of network traffic, it may be beneficial for them to reside on the same Pserver. Doing so can result in more efficient use of the hardware. For example, if the virtual machines reside on the same Pserver, the traffic between the virtual machines need not be inserted onto the physical network between Pservers.
  • Furthermore, if the client so desires, the client can request a VM to be moved to or from a particular Pserver. For example, the client may request that different VMs be executed by Pservers in different physical locations for security or reliability purposes.
  • Referring now to FIG. 4, a diagram of a communication network between a virtual machine 100 and a virtual machine 146 is shown. Virtual machines 100 and 146 may be software applications stored in computer readable storage medium and executable by a processor. The virtual machines 100 and 146 may simulate computers, i.e. they may provide services similar to or the same as services provided by a desktop computer, a server, a laptop, a cell phone, a mobile device, etc.
  • In an embodiment, the services provided by virtual machines 100 and 146 may include communication services, an operating system, hardware simulation, data processing services, etc. Each virtual machine 100 and 146 may also include a virtual (i.e. software based) processor that can execute computer readable code and software.
  • As shown in FIG. 4, a first virtual machine 100 includes a virtual network interface card (NIC) 102 and may include a MAC address 104. Similarly, virtual machine 146 may include a NIC 148 and a MAC address 150. NIC 102 and 148 may be virtual (i.e. software based) NIC cards that are part of the virtual machines 100 and 146. The MAC addresses 104 and 150 may be stored in memory and may provide the virtual NIC cards 102 and 148 with unique MAC addresses.
  • Virtual machines 100 and 146 may be implemented by physical servers. Physical servers may comprise physical hardware, e.g. a server computer, a series of server computers, etc. In an embodiment, a physical server may have multiple computer processor chips (processors). A physical server may, for example, have 1, 2, 4, 8, 32, 64, or more physical processors. These processors, along with other hardware and software resident in the physical server, may execute code that implements the virtual machines. The physical servers may also include other processing resources such as Ethernet cards (e.g. Ethernet cards 138 and 122), memory, storage such as hard disk drives, etc.
  • Although FIG. 4 shows each physical server as having a single virtual machine, each physical server may implement more than one physical machine. In an embodiment, a physical server may implement a number of virtual machines up to the number of physical processors in the server. For example, if a physical server has 64 processors, it may implement up to 64 virtual machines, each virtual machine having a physical processor assigned to it. In an embodiment, a physical server having 64 processors may reserve some of the processors for other functions, such as executing software or an operating system required to run on the physical server. For example, a physical server may reserve 62 processors for executing virtual machines, and may reserve 2 processors for executing other software.
  • In some instances, the physical server may assign multiple processors to a virtual machine. A virtual machine that requires more processing power may, for example, have 2, 4, 8, or more processors assigned. In other embodiments, a single physical processor in the physical server may be assigned to more than one virtual machine. In an embodiment, the physical server may reserve one or more processors to run other tasks and execute other software apart from the virtual machines. For example, the physical server may assign one or more processors to run the server's operating system, the server's processes, or other administrative and maintenance processes that help the physical server operate.
  • The virtual machines can also be scaled to be more or less powerful, depending upon a customer's needs for the virtual machine. If it is desired that the virtual machine scale up and become more powerful, the physical server can assign additional processors (and/or additional other computing resources) to the virtual machine. If it is desired that the virtual machine scale down and become less powerful, the physical server can re-assign processors and other resources from the virtual machine.
  • Each physical server may include one or more gateways having an encoder/decoder module (i.e. encoder/decoder 144 and encoder/decoder 108). These encoder/decoder modules may encode network traffic generated by the virtual machines, and/or decode network traffic received by the virtual machines.
  • Referring now to FIG. 4, a first virtual machine, VM1, having one or more network interface cards (NiC) (with only one network interface card NiC1 being shown in FIG. 4) and one or more corresponding media access control (MAC) addresses with one MAC address MAC1 being shown in the exemplary embodiment of FIG. 4. Each separate NiC has at least one MAC address.
  • When the first virtual machine transmits a packet to a second virtual machine 146, encoder/decoder 108 operates as an encoder and encoder/decoder 144 operates as a decoder. The opposite is, of course, true when VM 146 transmits a packet to VM 100.
  • Each MAC address is unique and centrally provisioned (i.e. uniquely assigned from a database). Thus, all MAC addresses are unique throughout the entire system.
  • If VM1 sends a packet to the encoder (IPv6dst), the encoder receives the packet with no special VLAN tagging required (i.e. it receives any ip traffic, ipx traffic, IPv6 traffic) and encodes it.
  • During the encoding process a IPv6 destination address (IPv6dst), a source address, and a header are added to the packet. The IPv6 addresses are used to route the Ethernet frame around the global network. The system calculates (i.e. derives) the IPv6 destination address by adding a network prefix, which is fixed in a data center (where each data center may have a certain network prefix). The system then attaches the MAC address to the packet.
  • Thus, the IPv6 address corresponds to the data center and/or the virtual machine's MAC address. The same process is used for the source address (i.e. the MAC address of the sending destination IPv6 of the virtual machine (e.g. IPv6 address of VM2 in FIG. 4 which is where the traffic is going).
  • This way the system can produce frames and other network traffic guaranteed to arrive at the right physical machine, because that is where IPv6 address is added. Whenever a virtual machine is assigned a certain MAC address the system makes sure that an IPv6 address is also added to the physical host (e.g. the physical server and/or a NIC card in the physical server) that corresponds to the MAC address.
  • The packet header includes a client id (e.g. a customer identifier) of the VNET ID. The client ID is also recorded in other parts of the system. For example, the client ID is associated with network traffic generated by VMs of the client, included in databases relating to client billing, etc. The VNET ID is a network identifier. Since a particular client can have multiple networks, VNET IDs are used to identify one or more of the client's networks. Both client IDs and VNET IDs are unique identifiers and may be assigned or tracked by a database. Once the client IDs and VNET IDs are included, the packet is sent to the host IPv6 stack and routed to the remote physical host, which then decodes the packet.
  • The decoder reads the information in the header and checks whether the virtual network id of the sending virtual machine is the same as or matches that of the receiving virtual machine. This way the system makes sure that Ethernet frames from one virtual network only stay in that virtual network. For example, this helps prevent traffic generated by one client's virtual machines from arriving at the virtual machine of another client. This is the system attaches the virtual network id in the header (i.e. the system handles this aspect, rather than the client) and is enforced in the network stack.
  • If the header matches, then the system strips away the header, examines the IPv6 destination and source, unpacks the Ethernet frame that the virtual machine 1 (VM1) has created, and feeds the Ethernet frame to virtual machine two (VM2), which then simply sees an Ethernet frame arriving. Thus, one clients' virtual machines sends and receives Ethernet traffic only from other virtual machines in the client's virtual network.
  • Each physical server may also implement one or more firewalls, such as firewalls 110 and 142. In an embodiment, these firewalls may be software-based firewalls that are executed by the core of a virtual machine. Accordingly, there may be a firewall for each virtual machine. This may allow the firewall to scale as the virtual machine scales. For example, if additional processors are allocated to the virtual machine to make the virtual machine run faster or more powerfully, the firewall may also run faster and more powerfully because it is executed by the core of the virtual machine. This means that the firewall can operate at top speed, or “line” speed because as the virtual machine becomes more powerful and requires more network traffic, the virtual machine also becomes more powerful and can handle the additional network traffic. Also, if a virtual machine is transferred or moved from one physical server to another, the firewall can also move with the virtual machine.
  • Many traditional networks require a cascaded firewall scheme. In an embodiment, each firewall implemented by a physical server can include a set of rules that is a superset of multiple firewalls. In other words, since there may be one firewall for each virtual machine, each firewall can include a super-set of rules and filters so that a hierarchy of firewalls is not necessary.
  • Since the firewall is implemented in software and executed by the core of a virtual machine, the firewall can also be configured to have custom traffic filters. For example, network packets in a virtual network between two virtual machines may include custom headers. These headers may include additional information that is not usually found in traditional network traffic. For example, the header may include an identifier of the recipient virtual machine, an identifier of the sender virtual machine, an identifier of a client who owns the virtual machine, an identifier of a recipient or source network of the packet, and identifier of a virtual network, etc. These custom filters can allow or reject traffic based on any combination of information in the custom header. For example, a firewall rule can be set up to check the header of network traffic, compare it to some or all of the custom header information, and reject any traffic coming from a particular virtual machine, except for traffic coming from port 22 of the virtual machine, for example. These custom rules can also help to prevent spoofed or fake packets from getting through to a virtual machine by providing additional methods of data validation, and by providing filters that are not dependent upon traditional network traffic identifiers such as IP address or MAC address.
  • Referring now to FIG. 5, load balancer decision flow at a gateway begins in block 160 where an incoming IP Packet is received. Next a decision is made as to whether the destination IP address exists in an internal match table. If the address is not in the match table then the packet is dropped as shown in processing block 164. Otherwise processing proceeds to decision block 166 where a decision is made if the destination MAC address exists in an internal match table. If it does not exist then processing proceeds to block 168 where the packet is processed as a non-load balanced packet. Otherwise processing proceeds to decision block 170 where a determination is made as to whether the entry exists for a search IP address and port and a destination IP address. If no match exists then processing proceeds to block 172 and the destination MAC address is used for sending the packet. Processing then proceeds to block 174 where the packet is wrapped into ethoip6 and transmitted to the destination MAC.
  • If in decision block 170 the entry is not found then processing flows to decision block 176 where a lookup is made for the destination IP LB-configuration in the LB realm table. If the entry is not found then the packet is dropped as shown in processing block 178. If the entry is found, then processing proceeds to decision block 180 where a destination MAC is chosen. If no destination MAC is found, then the packet is dropped as shown in processing block 178. If the destination MAC is found then processing flow to processing block 182 where a cache entry session is created. Processing then flows back to decision block 170.
  • Referring now to FIG. 6, a process for load balancer failover handling is shown. In processing block 190, a customer defined wait period is observed. Processing then flows to decision block 192, where a ping is sent to a desired destination. If a correct reply is not received then processing flows to decision block 194 where a decision is made as to whether the NiC should be marked as inactive. If the NiC should not be marked as inactive, then processing returns to processing block 190. If a decision is made that the NiC should be marked as inactive, then processing flows to processing block 196 and a message is sent to the appropriate gateway for deactivation of the LB node. Processing then proceeds to block 198 where the NIC of the virtual machine is marked as deactivated. Processing then returns to processing block 190. It should be noted that the processing in decision blocks 200-206 is optional.
  • If in decision block 192 the check is okay, then processing flows to decision block 200 where a check is made to determine if a service port on the destination IP is reachable. If the check fails, then processing flows to decision block 194.
  • If the check is okay, then processing proceeds to decision block 202 where a UDP is checked. If the UDP check fails then processing flows to decision block 194. If the UDP check succeeds, then processing flows to decision block 204 where a TCP reply is checked. If the TCP reply fails then processing flows to block 194. If the TCP reply is okay then processing flows to decision block 206 where more tests may be performed. If the any of the tests fail, then processing flows to block 194, otherwise, processing flows to decision block 208.
  • In decision block 208 a decision is made as to whether the NIC should be marked as deactivated. If the NIC should not be marked as deactivated, then processing flows to block 190. If a decision is made that the NIC should be deactivated then processing flows to blocks 210 and 212 where the NIC of the VM is marked as deactivated and a message is sent to the gateway to activate the LB-Node.
  • Having described preferred embodiments of the invention it will now become apparent to those of ordinary skill in the art that other embodiments incorporating these concepts may be used. Accordingly, it is submitted that the invention should not be limited to the described embodiments but rather should be limited only by the spirit and scope of the appended claims.
  • The systems and methods described herein may be implemented hardware, software, or a combination. Software may comprise software instructions stored on one or more computer readable medium which, when executed by one or more processors, cause the processors to perform operations that implement the systems and methods.

Claims (28)

1. A system comprising:
a first virtual machine executed by a first physical server connected to a physical network;
a second virtual machine executed by a second physical server connected to the physical network, wherein the first and second virtual machines are connected to a same virtual network;
a gateway device configured to route network traffic through the physical network to and from the first and second virtual machines;
a load balancer module executed by the gateway device, the load balancer module configured to:
at least partially decode the network traffic to identify a destination address of the network traffic;
determine if the destination address is the address of a load-balanced virtual machine; and
if the destination address is the address of a load-balanced virtual machine, route the network traffic to a destination virtual machine according to a load-balancing scheme.
2. The system of claim 1 wherein the first and second virtual machines provide load information to the load balancer module.
3. The system of claim 2 wherein the load information includes processor utilization, network utilization, hard drive utilization, a number of load-balanced network packets received, a number of jobs being executed by the virtual machine, a number of threads being executed by a processor of the virtual machine, a number of processes being executed by the virtual machine, memory utilization
4. The system of claim 1 wherein the gateway device is a physical processing device coupled to the physical network.
5. The system of claim 4 wherein the load balancer module is a software module stored on physical, hardware storage of the gateway device and executed by a processor of the gateway device.
6. The system of claim 1 wherein the load-balancing scheme comprises a round robin scheme, a lowest load first scheme, or a fastest throughput scheme.
7. The system of claim 1 wherein the load balancer is configured to continuously or periodically monitor a current load of the virtual machines.
8. The system of claim 1 wherein the load balancer module includes a list of where recent network traffic has been sent by the load balancer module.
9. The system of claim 1 wherein the load balancer is configured to determine whether a destination virtual machine is responding to network traffic by measuring whether the destination virtual machine responds to the network traffic within a predetermined time period.
10. The system of claim 1 wherein the system contains multiple gateways and multiple load balancing modules, and each load balancing module uses a same routing algorithm to route the network traffic to load balanced virtual machines.
11. The system of claim 10 wherein the routing algorithm is assigned and updated via software.
12. The system of claim 1 wherein the load balancing module comprises a load balancing match table which includes network addresses of load-balanced virtual machines.
13. The system of claim 12 wherein the load balancing module is configured to determining whether the destination address is a destination address of a load-balanced virtual machine by matching the destination address to one or more of the network addresses in the load balancing match table.
14. The system of claim 13 wherein the load balancing machine is configured to route the network traffic without utilizing a load balancing scheme if the destination address does not match one or more of the networking addresses in the load balancing match table.
15. A method comprising:
executing a first virtual machine by a first physical server connected to a physical network;
executing a second virtual machine by a second physical server connected to the physical network, wherein the first and second virtual machines are connected to a same virtual network;
connecting a gateway device to the physical network, the gateway device configured to route network traffic through the physical network to and from the first and second virtual machines;
executing a load balancer module by the gateway device, the load balancer module configured to:
at least partially decode the network traffic to identify a destination address of the network traffic;
determine if the destination address is the address of a load-balanced virtual machine; and
if the destination address is the address of a load-balanced virtual machine, route the network traffic to a destination virtual machine according to a load-balancing scheme.
16. The method of claim 15 further comprising provide load information to the load balancer module from the first and second virtual machines.
17. The method of claim 16 wherein the load information includes processor utilization, network utilization, hard drive utilization, a number of load-balanced network packets received, a number of jobs being executed by the virtual machine, a number of threads being executed by a processor of the virtual machine, a number of processes being executed by the virtual machine, memory utilization
18. The method of claim 15 wherein the gateway device is a physical processing device coupled to the physical network.
19. The method of claim 18 wherein the load balancer module is a software module stored on physical, hardware storage of the gateway device and executed by a processor of the gateway device.
20. The method of claim 15 wherein the load-balancing scheme comprises a round robin scheme, a lowest load first scheme, or a fastest throughput scheme.
21. The method of claim 15 further comprising continuously or periodically monitoring a current load of the virtual machines.
22. The method of claim 15 wherein the load balancer module includes a list of where recent network traffic has been sent by the load balancer module.
23. The method of claim 15 further comprising determining, by the load balancer module, whether a destination virtual machine is responding to network traffic by measuring whether the destination virtual machine responds to the network traffic within a predetermined time period.
24. The method of claim 15 wherein the system contains multiple gateways and multiple load balancing modules, wherein the method further comprises routing network traffic by the multiple load balancing modules according to a same routing algorithm to route the network traffic to load balanced virtual machines.
25. The method of claim 24 further comprising assigning and updating the routing algorithm via software.
26. The method of claim 15 wherein the load balancing module comprises a load balancing match table which includes network addresses of load-balanced virtual machines.
27. The method of claim 26 further comprising determining, by the load balancing module, whether the destination address is a destination address of a load-balanced virtual machine by matching the destination address to one or more of the network addresses in the load balancing match table.
28. The method of claim 27 further comprising routing the network traffic, by the load balancing machine, without utilizing a load balancing scheme if the destination address does not match one or more of the networking addresses in the load balancing match table.
US14/200,935 2013-03-15 2014-03-07 Load balancer and related techniques Expired - Fee Related US9253245B2 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US14/200,935 US9253245B2 (en) 2013-03-15 2014-03-07 Load balancer and related techniques
PCT/US2014/027112 WO2014152242A1 (en) 2013-03-15 2014-03-14 Network stack and related techniques

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201361801391P 2013-03-15 2013-03-15
US14/200,935 US9253245B2 (en) 2013-03-15 2014-03-07 Load balancer and related techniques

Publications (2)

Publication Number Publication Date
US20140280969A1 true US20140280969A1 (en) 2014-09-18
US9253245B2 US9253245B2 (en) 2016-02-02

Family

ID=51533591

Family Applications (3)

Application Number Title Priority Date Filing Date
US14/200,948 Active 2034-03-12 US9888055B2 (en) 2013-03-15 2014-03-07 Firewall for a virtual network and related techniques
US14/200,935 Expired - Fee Related US9253245B2 (en) 2013-03-15 2014-03-07 Load balancer and related techniques
US14/200,784 Abandoned US20140280775A1 (en) 2013-03-15 2014-03-07 Network Stack and Related Techniques

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US14/200,948 Active 2034-03-12 US9888055B2 (en) 2013-03-15 2014-03-07 Firewall for a virtual network and related techniques

Family Applications After (1)

Application Number Title Priority Date Filing Date
US14/200,784 Abandoned US20140280775A1 (en) 2013-03-15 2014-03-07 Network Stack and Related Techniques

Country Status (2)

Country Link
US (3) US9888055B2 (en)
WO (1) WO2014152242A1 (en)

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150081400A1 (en) * 2013-09-19 2015-03-19 Infosys Limited Watching ARM
US20170118251A1 (en) * 2013-11-18 2017-04-27 Amazon Technologies, Inc. Account management services for load balancers
EP3229182A1 (en) 2016-04-05 2017-10-11 Teridion Technologies Ltd. Global optimazation and load balancing in networks
US20180139122A1 (en) * 2016-11-17 2018-05-17 Nicira, Inc. Enablement of multi-path routing in virtual edge systems
US10084855B2 (en) * 2017-01-23 2018-09-25 Akamai Technologies, Inc. Pixel-based load balancing
US10447591B2 (en) * 2016-08-30 2019-10-15 Oracle International Corporation Executing multiple virtual private network (VPN) endpoints associated with an endpoint pool address
US10855575B2 (en) * 2019-03-06 2020-12-01 Hewlett Packard Enterprise Development Lp Adaptive traffic routing in a software-defined wide area network
US10895984B2 (en) * 2013-09-17 2021-01-19 Netapp, Inc. Fabric attached storage
US11068294B2 (en) * 2015-11-26 2021-07-20 Telefonaktiebolaget Lm Ericsson (Publ) Balancing processing loads of virtual machines
US11134126B2 (en) 2019-03-06 2021-09-28 Hewlett Packard Enterprise Development Lp Adaptive routing of branch traffic in software-defined wide area network (SDWAN) deployments
US20210329486A1 (en) * 2020-04-15 2021-10-21 XCOM Labs, Inc. System and method for reducing data packet processing false alarms
US11228527B2 (en) * 2016-12-21 2022-01-18 Vmware, Inc. Load balancing between edge systems in a high availability edge system pair
US11438374B2 (en) * 2015-08-18 2022-09-06 Acronis International Gmbh Agentless security of virtual machines for outbound transmissions using a network interface controller

Families Citing this family (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9888055B2 (en) * 2013-03-15 2018-02-06 Profitbricks Gmbh Firewall for a virtual network and related techniques
US10667293B2 (en) * 2014-07-11 2020-05-26 Sony Corporation Information processing device, information processing method, and program
JP2018502385A (en) 2014-12-08 2018-01-25 アンブラ テクノロジーズ リミテッドUmbra Technologies Ltd. System and method for content retrieval from a remote network region
EP3243314A4 (en) 2015-01-06 2018-09-05 Umbra Technologies Ltd. System and method for neutral application programming interface
WO2016123293A1 (en) 2015-01-28 2016-08-04 Umbra Technologies Ltd. System and method for a global virtual network
JP6265158B2 (en) * 2015-03-27 2018-01-24 横河電機株式会社 Electronics
US10305816B1 (en) 2015-03-31 2019-05-28 Cisco Technology, Inc. Adjustable bit mask for high-speed native load balancing on a switch
CN107852604B (en) 2015-04-07 2021-12-03 安博科技有限公司 System for providing Global Virtual Network (GVN)
WO2016198961A2 (en) 2015-06-11 2016-12-15 Umbra Technologies Ltd. System and method for network tapestry multiprotocol integration
ES2931177T3 (en) 2015-12-11 2022-12-27 Umbra Tech Ltd System and method for launching information through a network tapestry and granularity of a brand
US10367655B2 (en) 2016-01-25 2019-07-30 Alibaba Group Holding Limited Network system and method for connecting a private network with a virtual private network
CN107086966B (en) * 2016-02-16 2021-07-27 阿里巴巴集团控股有限公司 Network load balancing, control and network interaction method and device
US10922286B2 (en) 2016-04-26 2021-02-16 UMBRA Technologies Limited Network Slinghop via tapestry slingshot
US20190097940A1 (en) * 2016-06-15 2019-03-28 Alibaba Group Holding Limited Network system and method for cross region virtual private network peering
US10484332B2 (en) * 2016-12-02 2019-11-19 Vmware, Inc. Application based network traffic management
US10616339B2 (en) 2017-11-28 2020-04-07 Dell Products, L.P. System and method to configure, manage, and monitor stacking of ethernet devices in a software defined network
US10230683B1 (en) 2018-02-09 2019-03-12 Capital One Services, Llc Routing for large server deployments
CN112565320B (en) * 2019-09-25 2021-11-02 大唐移动通信设备有限公司 Load balancing method and device
CN114760317A (en) * 2022-03-18 2022-07-15 中国建设银行股份有限公司 Fault detection method of virtual gateway cluster and related equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120144014A1 (en) * 2010-12-01 2012-06-07 Cisco Technology, Inc. Directing data flows in data centers with clustering services
US20120207174A1 (en) * 2011-02-10 2012-08-16 Choung-Yaw Michael Shieh Distributed service processing of network gateways using virtual machines
US20130019018A1 (en) * 2011-07-12 2013-01-17 Bank Of America Corporation Optimized service integration
US20130136126A1 (en) * 2011-11-30 2013-05-30 Industrial Technology Research Institute Data center network system and packet forwarding method thereof
US20140108655A1 (en) * 2012-10-16 2014-04-17 Microsoft Corporation Load balancer bypass

Family Cites Families (32)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040264402A9 (en) 1995-06-01 2004-12-30 Padcom. Inc. Port routing functionality
US6363421B2 (en) 1998-05-31 2002-03-26 Lucent Technologies, Inc. Method for computer internet remote management of a telecommunication network element
US8776050B2 (en) 2003-08-20 2014-07-08 Oracle International Corporation Distributed virtual machine monitor for managing multiple virtual resources across multiple physical nodes
US7631120B2 (en) 2004-08-24 2009-12-08 Symantec Operating Corporation Methods and apparatus for optimally selecting a storage buffer for the storage of data
US7725760B2 (en) 2003-09-23 2010-05-25 Symantec Operating Corporation Data storage system
US7577807B2 (en) 2003-09-23 2009-08-18 Symantec Operating Corporation Methods and devices for restoring a portion of a data store
WO2005036367A2 (en) 2003-10-08 2005-04-21 Unisys Corporation Virtual data center that allocates and manages system resources across multiple nodes
US7171532B2 (en) 2004-08-30 2007-01-30 Hitachi, Ltd. Method and system for data lifecycle management in an external storage linkage environment
JP2006134021A (en) 2004-11-05 2006-05-25 Hitachi Ltd Storage system and configuration management method therefor
US7730183B2 (en) 2005-01-13 2010-06-01 Microsoft Corporation System and method for generating virtual networks
US7886351B2 (en) * 2006-06-19 2011-02-08 Microsoft Corporation Network aware firewall
US20090112919A1 (en) 2007-10-26 2009-04-30 Qlayer Nv Method and system to model and create a virtual private datacenter
US20090249471A1 (en) 2008-03-27 2009-10-01 Moshe Litvin Reversible firewall policies
US8484355B1 (en) 2008-05-20 2013-07-09 Verizon Patent And Licensing Inc. System and method for customer provisioning in a utility computing platform
JP2010072753A (en) 2008-09-16 2010-04-02 Hitachi Ltd Storage system equipped with automatic extension volume and power saving function
US8479266B1 (en) * 2008-11-13 2013-07-02 Sprint Communications Company L.P. Network assignment appeal architecture and process
US8661434B1 (en) * 2009-08-05 2014-02-25 Trend Micro Incorporated Migration of computer security modules in a virtual machine environment
JP4815518B2 (en) 2009-09-11 2011-11-16 株式会社日立製作所 Computer system in which capacity virtualization is performed in accordance with Thin-Provisioning technology in both storage system and server computer
CN104065555B (en) 2009-09-24 2018-09-18 日本电气株式会社 Communication identification method between communication identification system and virtual server between virtual server
WO2011096014A1 (en) 2010-02-05 2011-08-11 株式会社日立製作所 Computer system linking to virtual machines and performing thin-provisioning volume management, computer, and method
US9323689B2 (en) 2010-04-30 2016-04-26 Netapp, Inc. I/O bandwidth reduction using storage-level common page information
FR2960368B1 (en) * 2010-05-21 2013-03-15 Thales Sa SECURE INTERCONNECTION SYSTEM BETWEEN TWO PUBLIC NETWORKS
US9118591B2 (en) 2010-07-30 2015-08-25 Broadcom Corporation Distributed switch domain of heterogeneous components
US8612744B2 (en) * 2011-02-10 2013-12-17 Varmour Networks, Inc. Distributed firewall architecture using virtual machines
US9154327B1 (en) * 2011-05-27 2015-10-06 Cisco Technology, Inc. User-configured on-demand virtual layer-2 network for infrastructure-as-a-service (IaaS) on a hybrid cloud network
CN102263704B (en) * 2011-09-01 2014-03-26 杭州华三通信技术有限公司 Topology construction method and device supporting layer 2 interconnection of data centers
US8959523B2 (en) 2012-03-30 2015-02-17 International Business Machines Corporation Automated virtual machine placement planning using different placement solutions at different hierarchical tree levels
US9116736B2 (en) * 2012-04-02 2015-08-25 Cisco Technology, Inc. Virtualized movement of enhanced network services associated with a virtual machine
GB2506684A (en) 2012-10-08 2014-04-09 Ibm Migration of a virtual machine between hypervisors
US9888055B2 (en) * 2013-03-15 2018-02-06 Profitbricks Gmbh Firewall for a virtual network and related techniques
US9639459B2 (en) 2013-06-04 2017-05-02 Globalfoundries Inc. I/O latency and IOPs performance in thin provisioned volumes
US9454314B2 (en) 2014-03-07 2016-09-27 ProfitBricks, Inc. Systems and methods for creating an image of a virtual storage device

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120144014A1 (en) * 2010-12-01 2012-06-07 Cisco Technology, Inc. Directing data flows in data centers with clustering services
US20120207174A1 (en) * 2011-02-10 2012-08-16 Choung-Yaw Michael Shieh Distributed service processing of network gateways using virtual machines
US20130019018A1 (en) * 2011-07-12 2013-01-17 Bank Of America Corporation Optimized service integration
US20130136126A1 (en) * 2011-11-30 2013-05-30 Industrial Technology Research Institute Data center network system and packet forwarding method thereof
US20140108655A1 (en) * 2012-10-16 2014-04-17 Microsoft Corporation Load balancer bypass

Cited By (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10895984B2 (en) * 2013-09-17 2021-01-19 Netapp, Inc. Fabric attached storage
US20150081400A1 (en) * 2013-09-19 2015-03-19 Infosys Limited Watching ARM
US20170118251A1 (en) * 2013-11-18 2017-04-27 Amazon Technologies, Inc. Account management services for load balancers
US9900350B2 (en) * 2013-11-18 2018-02-20 Amazon Technologies, Inc. Account management services for load balancers
US20180275765A1 (en) * 2013-11-18 2018-09-27 Amazon Technologies, Inc. Account management services for load balancers
US10936078B2 (en) * 2013-11-18 2021-03-02 Amazon Technologies, Inc. Account management services for load balancers
US11438374B2 (en) * 2015-08-18 2022-09-06 Acronis International Gmbh Agentless security of virtual machines for outbound transmissions using a network interface controller
US11743289B2 (en) * 2015-08-18 2023-08-29 Acronis International Gmbh Managing transmissions of virtual machines using a network interface controller
US20220377106A1 (en) * 2015-08-18 2022-11-24 Acronis International Gmbh Managing transmissions of virtual machines using a network interface controller
US11068294B2 (en) * 2015-11-26 2021-07-20 Telefonaktiebolaget Lm Ericsson (Publ) Balancing processing loads of virtual machines
EP3229182A1 (en) 2016-04-05 2017-10-11 Teridion Technologies Ltd. Global optimazation and load balancing in networks
US10425340B2 (en) 2016-04-05 2019-09-24 Teridion Technologies Ltd Global optimization and load balancing in networks
US10447591B2 (en) * 2016-08-30 2019-10-15 Oracle International Corporation Executing multiple virtual private network (VPN) endpoints associated with an endpoint pool address
US10484279B2 (en) 2016-08-30 2019-11-19 Oracle International Corporation Executing multiple virtual private network (VPN) endpoints associated with an endpoint pool address
US10700960B2 (en) * 2016-11-17 2020-06-30 Nicira, Inc. Enablement of multi-path routing in virtual edge systems
US20180139122A1 (en) * 2016-11-17 2018-05-17 Nicira, Inc. Enablement of multi-path routing in virtual edge systems
US11296978B2 (en) * 2016-11-17 2022-04-05 Nicira, Inc. Enablement of multi-path routing in virtual edge systems
US11228527B2 (en) * 2016-12-21 2022-01-18 Vmware, Inc. Load balancing between edge systems in a high availability edge system pair
US10542080B2 (en) 2017-01-23 2020-01-21 Akamai Technologies Inc. Pixel-based load balancing
US10084855B2 (en) * 2017-01-23 2018-09-25 Akamai Technologies, Inc. Pixel-based load balancing
US11134126B2 (en) 2019-03-06 2021-09-28 Hewlett Packard Enterprise Development Lp Adaptive routing of branch traffic in software-defined wide area network (SDWAN) deployments
US10855575B2 (en) * 2019-03-06 2020-12-01 Hewlett Packard Enterprise Development Lp Adaptive traffic routing in a software-defined wide area network
US20210329486A1 (en) * 2020-04-15 2021-10-21 XCOM Labs, Inc. System and method for reducing data packet processing false alarms
US12088499B2 (en) * 2020-04-15 2024-09-10 Virewirx, Inc. System and method for reducing data packet processing false alarms

Also Published As

Publication number Publication date
US9253245B2 (en) 2016-02-02
US20140280775A1 (en) 2014-09-18
WO2014152242A1 (en) 2014-09-25
US9888055B2 (en) 2018-02-06
US20140280911A1 (en) 2014-09-18

Similar Documents

Publication Publication Date Title
US9253245B2 (en) Load balancer and related techniques
US10917351B2 (en) Reliable load-balancer using segment routing and real-time application monitoring
US10911398B2 (en) Packet generation method based on server cluster and load balancer
JP6445015B2 (en) System and method for providing data services in engineered systems for execution of middleware and applications
US10749805B2 (en) Statistical collection in a network switch natively configured as a load balancer
US10630710B2 (en) Systems and methods of stateless processing in a fault-tolerant microservice environment
US10171362B1 (en) System and method for minimizing disruption from failed service nodes
EP2740242B1 (en) System and method for implementing and managing virtual networks
US10848432B2 (en) Switch fabric based load balancing
US10511514B1 (en) Node-specific probes in a native load balancer
US10091112B1 (en) Highly-scalable virtual IP addresses in a load balancing switch
US10110668B1 (en) System and method for monitoring service nodes
US10171361B1 (en) Service-specific probes in a native load balancer
US11362863B2 (en) Handling packets travelling from logical service routers (SRs) for active-active stateful service insertion
US9491098B1 (en) Transparent network multipath utilization through encapsulation
US12034637B1 (en) Network devices for stateful transmission of network traffic
Mwangama et al. Towards a Cloud Native Micro-services Architecture for Telcos
WO2016068968A1 (en) Alternate address network login
IX 13th USENIX Symposium on Networked Systems Design and Implementation
Κωνσταντινίδης Experimental study of data center network load balancing mechanisms

Legal Events

Date Code Title Description
AS Assignment

Owner name: PROFITBRICKS GMBH, GERMANY

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:WOOD, CONRAD N.;WEISS, ACHIM;REEL/FRAME:032460/0185

Effective date: 20140312

STCF Information on status: patent grant

Free format text: PATENTED CASE

FEPP Fee payment procedure

Free format text: PAT HOLDER CLAIMS SMALL ENTITY STATUS, ENTITY STATUS SET TO SMALL (ORIGINAL EVENT CODE: LTOS); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

FEPP Fee payment procedure

Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

LAPS Lapse for failure to pay maintenance fees

Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

STCH Information on status: patent discontinuation

Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362

FP Lapsed due to failure to pay maintenance fee

Effective date: 20200202

PRDP Patent reinstated due to the acceptance of a late maintenance fee

Effective date: 20211210

FEPP Fee payment procedure

Free format text: PETITION RELATED TO MAINTENANCE FEES FILED (ORIGINAL EVENT CODE: PMFP); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Free format text: PETITION RELATED TO MAINTENANCE FEES GRANTED (ORIGINAL EVENT CODE: PMFG); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Free format text: SURCHARGE, PETITION TO ACCEPT PYMT AFTER EXP, UNINTENTIONAL (ORIGINAL EVENT CODE: M1558); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4

STCF Information on status: patent grant

Free format text: PATENTED CASE

FEPP Fee payment procedure

Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

LAPS Lapse for failure to pay maintenance fees

Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

STCH Information on status: patent discontinuation

Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362

FP Lapsed due to failure to pay maintenance fee

Effective date: 20240202